Beware the (Online) Game

Playing online games does not really sound like much of a security risk. Whether it is a first-person shooter game, a game where one hunts mythical creatures, an MMORPG, or some sort of simulation, the security concerns often appear minimal. There are two major problems with that idea.

The first big issue is that gamers are seldom encouraged to create complex passwords. That’s reasonable from the game creator’s standpoint because they want people to get in and play! Making that difficult might reduce the number of gamers or the time they spend playing. Neither is good for whatever funding mechanism the creators use: more players more often means more revenue.

If the games allow “in-app purchases,” simple passwords may allow evildoers to spend the money of others. That is not a big security issue in and of itself. It could be if the attacker could access a player’s payment information, but that only impacts the individual with the weak password.

The real problem is that “a chain is only as strong as its weakest link.” So if one uses a weak password on a game (or somewhere else), it may lead to issues for other users.

What if an attacker could access an account and impersonate the account owner? The owner (or his or her character) might already be trusted by other users, and consequently the attacker would be also. The bad guy could arrange a meeting with, or perhaps coax information from, other users based on that trust. This means gamers must not fully trust the identities of other players to be constant, and if they cannot do that, they cannot really trust those identities at all.

That brings us to our second issue: people tend to re-use passwords. Up to 70% of internet users use the same password in two or more places. Combine that with the weak passwords gamers often use, and a problem becomes apparent. It is an easy problem to solve: I have discussed before the necessity of using random passwords. Password managers make that easy and can also fill in passwords on specific sites, thus lowering the barrier to getting into a game or other site quickly.

And while the problem is easy to solve, it could have serious implications. A user may use a password on multiple games, at work, or even at a financial institution (but that is far less likely as many of them require frequent password changes).

Most government agencies and companies have rules about passwords and about using the same one at work and at home, but with the huge amount of password re-use, it seems likely that there is at least some re-use of personal passwords at work.

For additional perils of online gaming, check out https://venturebeat.com/2019/07/24/the-video-game-industry-is-a-black-hole-for-cybersecurity/

In Learning Tree’s System and Network Security Introduction Training we talk about core elements of cybersecurity, one of which is authentication, which is used to prevent impersonation. The weak passwords often, or even sometimes, used by gamers in particular make impersonation easier, whether in the game or on some other site. Either can lead to adverse consequences not only for the individual with the weak password but potentially for others as well. Good-quality authentication is as important with games as it is with any site.

To your safe computing,

Update: After I completed this post, The Hacker News reported a significant breach of information about players of ‘Words with Friends’.